Tutorial – Capturing, Sanitizing and posting Ethereal dumps

Do not use or republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post. We do not sell, publish or transmit it, nor do we have the right to give permission for such. TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.

Ethereal can be used with very specific filters to capture precise traffic at a very granular level. This tutorial concentrates on the basic filters, on how to save the captured traffic, and on how to sanitize the capture so it doesn't reveal your IP address or that of the remote machine, so that you can post it to the public internet for others to review and comment on.

Basic Capture Filters

Having installed the appropriate packet capture driver for your version of Ethereal, you can begin capturing packets. The fourth item from the left on the menu bar is the Capture option. Click it and select Start. This will bring up the capture panel. At the top you will see the available network cards you can capture on. Usually there will be only one, so this should be left as it is. If there is more than one, simply click OK and open a web browser to your home page. If the capture window shows traffic then this is the correct network card. If no traffic is captured, stop the capture, select the next card on the list and repeat this process until you capture traffic.

Ethereal can capture only the traffic to and from your machine or, on a hubbed network or a switched network with port spanning, it can capture all the traffic the network card sees if you tick the "Capture packets in Promiscuous Mode" option. For home users this usually won't be necessary, since the traffic you are interested in will usually be to and from your own machine.

Once you know which network card to use you can begin to capture traffic. If you put nothing in the Filter line you will get all the traffic to and from your machine; although you can apply filters afterwards, I prefer to apply my filter up front. The following are examples of filters you can use. Substitute the appropriate IP addresses and port numbers for the traffic you want to capture yourself.

1. All traffic to and from my machine only, (only useful in Promiscuous Mode)

host 192.168.1.1

2. All traffic to and from a remote host, (either Promiscuous Mode or Normal Mode)

host 10.0.0.1

3. All traffic to and from a particular port, (either Promiscuous Mode or Normal Mode)

port 80

4. All traffic initiated by the specific host, (Captures both sides of any conversation initiated by the host), (either Promiscuous Mode or Normal Mode)

src host 10.0.0.1

5. All traffic initiated to a specific host, (Captures both sides of any conversation received by the host), (either Promiscuous Mode or Normal Mode)

dst host 192.168.1.1

6. All traffic initiated by the specific host on a given port, (Captures both sides of any conversation initiated by the host), (either Promiscuous Mode or Normal Mode)

src host 10.0.0.1 && port 80

7. All traffic initiated to a specific host on a specific port, (Captures both sides of any conversation received by the host), (either Promiscuous Mode or Normal Mode)

dst host 192.168.1.1 && port 80

8. All traffic initiated to a specific port regardless of IP address, (Captures both sides of any conversation received by the host), (either Promiscuous Mode or Normal Mode)

dst port 80

As you can see, the "&&" operator allows you to join "phrases" together to make more and more specific filters. Another useful operator is "!" (without the quotes). This operator negates the phrase that follows it, so !port 80 would mean "Don't report traffic on port 80". You can therefore build quite complicated filters like the one below:-

The above filter would capture all traffic to 192.168.1.1 except traffic from 192.168.1.2. The traffic captured must have come from port 53, but it must not be destined for port 80. (All rather simple really.)
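As an added illustration (not part of the original tutorial), the small evaluator below models each filter "phrase" as a predicate over constructed packet summaries and applies the compound filter described above, written out in pcap syntax in the comment as my rendering of that description. It also shows a point worth knowing: a capture filter is judged packet by packet, so src host 10.0.0.1 on its own keeps only packets sent by that host; use host 10.0.0.1 when you want both directions of the conversation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    sport: int   # source port
    dst: str     # destination IP address
    dport: int   # destination port


# One "phrase" of the filter language is a predicate over a single packet.
def host(addr):     return lambda p: addr in (p.src, p.dst)
def src_host(addr): return lambda p: p.src == addr
def dst_host(addr): return lambda p: p.dst == addr
def port(n):        return lambda p: n in (p.sport, p.dport)
def src_port(n):    return lambda p: p.sport == n
def dst_port(n):    return lambda p: p.dport == n


# "!" negates a phrase and "&&" joins phrases, as described in the text.
def NOT(phrase):    return lambda p: not phrase(p)
def AND(*phrases):  return lambda p: all(ph(p) for ph in phrases)


def apply_filter(flt, packets):
    """Return the packets the capture would contain under this filter."""
    return [p for p in packets if flt(p)]


# Constructed sample traffic (not a real capture).
TRAFFIC = [
    Packet("192.168.1.1", 40000, "10.0.0.1", 53),     # DNS query to 10.0.0.1
    Packet("10.0.0.1", 53, "192.168.1.1", 40000),     # the reply to it
    Packet("192.168.1.2", 53, "192.168.1.1", 40001),  # from the excluded host
    Packet("10.0.0.1", 53, "192.168.1.1", 80),        # port 53 -> port 80
    Packet("192.168.1.1", 40002, "10.0.0.1", 80),     # a web request
]

# The compound filter described in the text, in pcap syntax (my rendering):
#   dst host 192.168.1.1 && !src host 192.168.1.2 && src port 53 && !dst port 80
COMPOUND = AND(dst_host("192.168.1.1"), NOT(src_host("192.168.1.2")),
               src_port(53), NOT(dst_port(80)))
```

Only the DNS reply (second packet) survives the compound filter; the packet from 192.168.1.2 and the one destined for port 80 are dropped.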

Saving your output in a manageable text format

OK, now that you have the data you want, you need to save it. If you use the standard Save option from the menu you will be presented with all sorts of format options. If you save to them and then try to read the output you will find (unless you are uB3r l33t) that they are meaningless to you. Rather than selecting Save, select Print instead. On the panel presented, select the following options:-

1. Click Plain Text
2. Select Output to File and enter a name such as MyEtherealDump.txt (always save it as a .txt file, please).
3. Click All Packets (or Selected Packet Only if that's all you want to save).
4. Click All Dissections Expanded
5. Make sure Packet Hex Data is not selected or you will have to find and replace IP addresses in Hex too.
6. Click Print

Your results should look something like this (this is a single packet; yours may have many):

You will notice that in the text there are lots of Source and Destination lines that show both my IP address and Yahoo's IP address (the remote machine). It is not usually a good idea to display either publicly on the internet. What I recommend is that you clearly state, when you post your Ethereal dump, that "I have replaced the IP address of the target computer with the address xxx.xxx.xxx.xxx and the IP address of the remote computer with the address xxx.xxx.xxx.xxx". I recommend that you use private addresses such as 192.168.xxx.xxx or 10.xxx.xxx.xxx as the replacements. Use your favourite text editor to do a "search and replace all" for both your IP address and the address of the remote machine, and save the file again.
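The search-and-replace step can be scripted so that every distinct address in the dump gets the same private placeholder throughout and the mapping is kept for the note you post alongside it. The script below is an added example, not part of the original tutorial; the dump it works on is constructed sample text loosely modelled on the plain-text print output, and the 10.200.0.0 placeholder base is my choice. It only rewrites dotted-decimal addresses, which is exactly why the tutorial tells you to leave Packet Hex Data unticked.

```python
import re
from ipaddress import IPv4Address, AddressValueError

# A dotted quad only at token boundaries, so "10.0.0.1" never also hits inside "10.0.0.10".
IPV4_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")


def sanitize_dump(text, base="10.200.0.0"):
    """Replace each distinct IPv4 address in the dump with a private placeholder.

    Placeholders are handed out in order of first appearance (base+1, base+2, ...),
    so every occurrence of one real address becomes the same fake address and the
    conversation stays readable. Returns (sanitized_text, mapping).
    """
    mapping = {}
    start = int(IPv4Address(base))

    def replace(match):
        token = match.group(1)
        try:
            IPv4Address(token)          # leave non-addresses such as 999.1.2.3 alone
        except AddressValueError:
            return token
        if token not in mapping:
            mapping[token] = str(IPv4Address(start + len(mapping) + 1))
        return mapping[token]

    return IPV4_RE.sub(replace, text), mapping


def disclosure_note(mapping):
    """The sentence to put at the top of the post, as the tutorial recommends."""
    return "; ".join(f"replaced {real} with {fake}" for real, fake in mapping.items())


# Constructed sample dump (not a real capture); MAC addresses are deliberately left as-is.
SAMPLE_DUMP = """\
Frame 1 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: 00:0c:29:3e:4a:1b, Dst: 00:50:56:c0:00:08
Internet Protocol, Src Addr: 203.0.113.45 (203.0.113.45), Dst Addr: 198.51.100.7 (198.51.100.7)
Transmission Control Protocol, Src Port: 3264 (3264), Dst Port: http (80)
Frame 2 (60 bytes on wire, 60 bytes captured)
Internet Protocol, Src Addr: 198.51.100.7 (198.51.100.7), Dst Addr: 203.0.113.45 (203.0.113.45)
"""

if __name__ == "__main__":
    clean, seen = sanitize_dump(SAMPLE_DUMP)
    print(disclosure_note(seen))
    print(clean)
```

Read your own dump from the .txt file, pass it through sanitize_dump, write the result back out and paste the disclosure note above it in your post.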

NOTE: Do not worry about the hex addresses in the highlighted portion of the packet dump above. Those are the MAC addresses of the last router and of your computer, and they are only useful to an attacker who is already on your local network.

Now you can either cut and paste the dump straight into your post if it is short, or attach the text file to your post if it is long.
